73f6a487c5a63712da5f3d8f3af330ea31b6647afb62f2f082d0ab0f4481ad83

Analysis

Target

73f6a487c5a63712da5f3d8f3af330ea31b6647afb62f2f082d0ab0f4481ad83.dll
Size

28KB
MD5

ce1e907e5709d82ce68748e16e53f3d1
SHA1

6730bafd618c8ad45bbcc6054566cb34e9d156ee
SHA256

73f6a487c5a63712da5f3d8f3af330ea31b6647afb62f2f082d0ab0f4481ad83
SHA512

d0f3803812655929b6ba1e2098269093a09e7b8fdba0b8fec43da15b2856c540101314b683555caf7cc770add122af20819ca002da67d61c30d314acb434ea83

Score

8^/10

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	876	rundll32.exe
6	876	rundll32.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
876	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 876	376	rundll32.exe	28
PID 376 wrote to memory of 876	376	rundll32.exe	28
PID 376 wrote to memory of 876	376	rundll32.exe	28
PID 376 wrote to memory of 876	376	rundll32.exe	28
PID 376 wrote to memory of 876	376	rundll32.exe	28
PID 376 wrote to memory of 876	376	rundll32.exe	28
PID 376 wrote to memory of 876	376	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\73f6a487c5a63712da5f3d8f3af330ea31b6647afb62f2f082d0ab0f4481ad83.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:376
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\73f6a487c5a63712da5f3d8f3af330ea31b6647afb62f2f082d0ab0f4481ad83.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:876

memory/876-55-0x0000000076581000-0x0000000076583000-memory.dmp

Filesize
8KB

Download